In many kind of applications is necessary the information exchange between the client and the server side of the application, using usually some of the following security features:                Authentication with a user name and its associated password or a digital certificate,        Cyphering the communication between the server and the client, using the protocol Secure Sockets Layer (SSL),        
However, even when the authentication process and the SSL (secure communications) are used, or even when the application source code is signed, it does not guaranty the integrity of the information that the client sends to the server. In other words, the client side it's the owner of the machine used by the client and it's possible the manipulation of the information existing in that machine (within memory, within files, etc.).
For example, in a web application, the client uses the web application or page to make a web request, with said application the client can modify the web request changing the contract between the server and the client, said modifications could be for example:                Modifying received parameters of the web page received from the server.        Adding new parameters in the web page.        Modifying the uniform resource locators (URL) of the web page received from the server.        Adding new URL to the web page received from the server (Performing requests on URL not received from the server).        Modifying or adding cookies to the request.        Modifying or Adding headers in the web page.        
In other words, the HTTP protocol allows making modifications at the client side so as modify all the data which are sent to the server, changing the original contract (GUI or API interactions) provided by the server. In addition, the client can try different type of attacks using legal input text fields, such as textbox fields within a form.
For this reason, the requests received in the server must be validated because the reliability and the integrity of the received data are not always guaranteed.
A solution provided in the state of the art is performing manual validations by software developers with the purpose of avoiding said vulnerabilities. The problem of this solution is not efficient and depends on the human factor; it would desirable an efficient and automatic solution.
Another solution comprises installing an application firewall performing the validation process automatically; one example of these types of solutions is the application firewall Appshield created in 1999. This firewall is a hardware solution (an appliance) located between the client and the server and processes all the requests from the client and all the responses from the server. The firewall parses all the responses and generates a cyphered text for each link and form. When the client request reaches the firewall, the application verifies whether the request is matches the data generated at the server. The problem is that the parsing process of server responses is not efficient and it would be desirable to have an efficient method to validate all the requests from the client. At the same time this kind of solutions are not easily integrable within development environments, since an additional hardware element is necessary in order to run the solutions. In consequence, is common to find integration problems when the application is deployed within production environments where the application firewall is present.
U.S. Pat. No. 8,510,827B1 relates to a method for taint tracking for security mechanism. The method “taints” the sensible information in terms of security, i.e. information that cannot be trusted and can modify the normal performance of the operating system. This method is oriented to the field of operating systems and virtualization systems. Therefore this method does not solve the lack of security in web services.
In the state of the art HDIV open-source project (hdiv.org) improves the performance offered by application firewalls because HDIV does not need to parse the response of web applications, reading all the information from memory within the applications. In other words, HDIV extends the behaviour of some web frameworks (Struts 1, Struts 2, JSF, Spring MVC, Grails) controlling the information flow of the data. On the other hand, HDIV does not implement some of the functionalities implemented by the firewalls, such as stopping DOS attacks or networks attacks. At the same time, HDIV may apply blacklist and whitelist validation patterns against editable data, but does not offer a solution to detect vulnerabilities within source code to avoid risks related with editable data such as SQL injection or XSS web risks.
The technical problem which is found in the state of the art is how to overcome the risks of the manipulation of applications from client side, preferably in HTTP, in an automatically and efficient way avoiding the need of modifying the source code of applications.
Although some of the state of the art solutions try to control the data flow between the server and the client, existing solutions are not optimum in the implementation strategy, as it is explained herein below.
Existing information flow control systems between server and client based on application firewalls, which in the present description is referred to as external implementation strategy, generate an excessive overload or performance overhead since the parsing is carried out on the HTML code coming from the server. At the same time existing JVM (Java Virtual Machine) internal data flow control systems based on compiled code transformation technique, in some cases known as instrumentation, such as HP Fortify or Contrast security products, monitors and control all the input data coming from web browsers at client's side, generating an extra work due to the monitoring of the whole set of received data.
There is a need for a more efficient data flow control system controlling and understanding the information generated originally at the server.